[libvirt] [PATCH 2/3] qemu: Disallow usage of luks encryption if aes secret not possible
Daniel P. Berrange
berrange at redhat.com
Wed Jul 20 08:29:11 UTC 2016
On Tue, Jul 19, 2016 at 02:27:41PM -0400, John Ferlan wrote:
> Resolves a CI test integration failure with a RHEL6/CentOS6 environment.
>
> In order to use a LUKS encrypted device, the design decision was to
> generate an encrypted secret based on the master key. However, commit
> id 'da86c6c' missed checking for that specifically.
>
> When qemuDomainSecretSetup was implemented, a design decision was made
> to "fall back" to a plain text secret setup if the specific cipher was
> not available (e.g. virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC))
> as well as the QEMU_CAPS_OBJECT_SECRET. For the luks encryption setup
> there is no fall back to the plaintext secret, thus if that gets set
> up by qemuDomainSecretSetup, then we need to fail.
>
> Also, while the qemuxml2argvtest has set the QEMU_CAPS_OBJECT_SECRET
> bit, it didn't take into account the second requirement that the
> ability to generate the encrypted secret is possible. So modify the
> test to not attempt to run the luks-disk if we know we don't have
> the encryption algorithm.
>
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
> src/qemu/qemu_domain.c | 7 +++++++
> tests/qemuxml2argvtest.c | 4 ++++
> 2 files changed, 11 insertions(+)
ACK
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|